Why Amazon should password-protect its Alexa app

I recently wrote a how-to guide for using Drop In, Amazon's calling feature that lets people connect to each other via voice or video without the recipient needing to actually answer. While putting the feature through its paces and testing it a number of times, I realized just how easy it is to Drop In on someone without needing to prove who you are first. In the same way password manager apps and journaling apps are password-protected for your security and privacy, the Alexa app should be password-protected so that no one can Drop In on your family, pretending they're you.

Drop In is a great feature for checking in on kids and the elderly

Drop In — just as it sounds — lets a person drop in on a household without needing to be "let in." The caller doesn't need an Echo device but does need the Alexa app. The recipient needs an Echo device, whether it's the standard Echo, the Dot, the Tap, or the Show.

Here's what happens: after both parties give permission, I can tap a button in the Alexa app or say to my Echo, "Alexa, Drop In on my mom," and a call will be initiated. On my mom's Echo, the call will go through automatically. She doesn't have to answer it. The speaker connects and I can hear what's going on on her end immediately (unless she tells Alexa to hang up right away).

If she Drops In on me using the video chat feature (I have a Show), she can see everything in my room automatically (though it starts off as a foggy blur for a few seconds).

This is a fantastic feature if you're checking up on your kids after school and before you've gotten home from work to find out if they're fighting, doing homework, watching TV, etc. When you Drop In, they don't have time to stop what they're doing before you're connected. You're just there as if you walked in the front door without knocking first.

It's also incredibly useful if you're taking care of an elderly family member. When you Drop In, they don't have to get up to answer. It just happens. If something is wrong, if someone has fallen down, you'll know right away and be able to send help. The Show is especially helpful in this case because you can also see if everything is alright, not just wait for someone to call out.

The person receiving a Drop In does need an Echo device, but the person making the call can do so from the Alexa app, without the need for an Echo device. That means anyone with the Alexa app on their phone can Drop In on someone with an Echo device (after permission is granted, of course). You only need to invest in one Echo device to take advantage of Drop In.

The Alexa app does not protect your contacts' privacy

The Alexa app doesn't require any kind of password protection or identification confirmation in order to access every part of it. Whether you're changing skills, updating your profile information, or Dropping In on your mom, there is never a step where you are asked to confirm your identity in order to continue. This last action is what sent up red flags for me.

There is no reason the Alexa app should not require identity confirmation. Once you've completed the setup process, you use the app very infrequently. I usually only open the Alexa app to check for new Echo skills or to use the calling and messaging feature. Convenience is not a factor. Security is.

There's no confirmation of who you are to place a Drop In call. That should send up red flags for everyone.

If I'm going to tell my mom to give me permission to Drop In on her any time I want to without giving her advance notice, she'd better be completely confident that I'm the only one that's going to use it.

If you give someone permission to Drop In on you, and one day a different person is listening in at your house, or even worse, watching you, I'm pretty sure you'd be upset to say the least. Without password protection or identity confirmation, there is a real possibility of this happening.

While it's easy to protect our phones with a passcode or fingerprint ID, not everyone does. If your phone gets lost or stolen, and it's not passcode-protected, anyone — any stranger — has the opportunity to Drop In on your most trusted contacts, uninvited. It's not entirely unlike you telling a stranger at a bar where your sister lives and then mentioning that she always leaves the front door open.

Drop In is different than a phone call and should therefore be more secure

Our phone contacts aren't password-protected, so what's the difference with the Alexa app?

It's all about the Drop In. If someone had access to my phone and started calling my friends and family, they would be able to actually answer (or deny) the call. No connection happens without an action on their part.

With Drop In, someone can listen in or even watch what's going on in your house without ever saying a word and possibly without you even knowing it's happening.

Now, to be clear, you hear three chimes when someone Drops In on you, and on the Echo speakers, there is a glowing green ring around the top. So if you're in the room, you'll hear and see that someone has Dropped In on you. On the Show, the camera is activated, so your screen shows who's on the other end of the line.

But if you're, say, in the kitchen when a Drop In takes place on your Echo in the living room across the house and you didn't notice it, a person could potentially listen in on (or watch) everything that's happening until the call has been noticed.

The solution is simple: Password-protect the Alexa app

There doesn't need to be a complete overhaul of the Alexa app and all its features. Amazon can simply add a feature that makes it so you have to use a password or fingerprint ID in order to open the app. They could even make it optional. If you don't use Drop In and don't think you need to password-protect the Alexa app, no problem.

If you do, however, use Drop In or simply want an added layer of protection, Amazon could make it something you could enable in the settings section.

My iPhone is protected with a complex passcode and Touch ID, but I still have separate passwords or secondary Touch ID for my bank and credit card apps, my journaling apps, my finance tracker, and my password manager.

I want my mom to know that, even if someone was able to get into my phone, there is no way anyone but me can Drop In on her unexpectedly. Until Amazon adds something that requires me to confirm my identity before opening the Alexa app, I've told my mom to revoke permission for me to Drop In on her.

Help a girl out, Amazon.

Lory Gil

Lory is a renaissance woman, writing news, reviews, and how-to guides for iMore. She also fancies herself a bit of a rock star in her town and spends too much time reading comic books. If she's not typing away at her keyboard, you can probably find her at Disneyland or watching Star Wars (or both).